similar to: [ANNOUNCE] PKCS#11 support in OpenSSH 4.3p2 (version 0.07)

Hello, The version 0.11 of "PKCS#11 support in OpenSSH" is published. Changes: 1. Updated against OpenSSH 4.3p2. 2. Modified against Roumen Petrov's X.509 patch (version 5.4), so self-signed certificates are treated by the X.509 patch now. 3. Added --pkcs11-x509-force-ssh if X.509 patch applied, until some issues with the X.509 patch are resolved. 4. Fixed issues with gcc-2. You

Hello All, As I promised, I've completed and initial patch for openssh PKCS#11 support. The same framework is used also by openvpn. I want to help everyone who assisted during development. This patch is based on the X.509 patch from http://roumenpetrov.info/openssh/ written by Rumen Petrov, supporting PKCS#11 without X.509 looks like a bad idea. *So the first question is: What is the

Hello OpenSSH developers, A week ago I've posted a patch that enables openssh to work with PKCS#11 tokens. I didn't receive any comments regarding the patch or reply to my questions. In current software world, providing a security product that does not support standard interface for external cryptographic hardware makes the product obsolete. Please comment my patch, so I can know

Hello, PKCS#11 is a standard API interface that can be used in order to access cryptographic tokens. You can find the specification at http://www.rsasecurity.com/rsalabs/node.asp?id=2133, most smartcard and other cryptographic device vendors support PKCS#11, opensc also provides PKCS#11 interface. I can easily make the scard.c, scard-opensc.c and ssh-agent.c support PKCS#11. PKCS#11 is

Hello Andreas, On 10/11/05, Andreas Jellinghaus <aj at dungeon.inka.de> wrote: > Peter Koch pointed me to your posting on openssh-devel mailing list. I am very glad that he did. > I'm one of the opensc people, and from my point of view your idea > is a good one. The current openssh-opensc code has a number of issues, > for example the ssh-agent does not test the pin

https://bugzilla.mindrot.org/show_bug.cgi?id=3635 Bug ID: 3635 Summary: ssh-add -s always asks for PKCS#11 PIN Product: Portable OpenSSH Version: 9.0p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: ssh-add Assignee: unassigned-bugs at

Hi All, The version of "PKCS#11 support in OpenSSH" is ready for download. On download page http://alon.barlev.googlepages.com/openssh-pkcs11 you can find a patch for OpenSSH 4.5p1. Most of PKCS#11 code is now moved to a standalone library which I call pkcs11-helper, this library is used by all projects that I added PKCS#11 support into. The library can be downloaded from:

ping. I've been using Alon's patch and following his arguments on this list for a while. I want to add my voice to say that the current opensc support should be completely replaced with pkcs#11 support, since it is the right way to handle smart cards. The use case that my organization wants is to use the TPM chips available in most machines as our primary smartcard mechanism,

https://bugzilla.mindrot.org/show_bug.cgi?id=2817 Bug ID: 2817 Summary: Add support for PKCS#11 URIs (RFC 7512) Product: Portable OpenSSH Version: 7.6p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: Smartcard Assignee: unassigned-bugs at

https://bugzilla.mindrot.org/show_bug.cgi?id=2186 Bug ID: 2186 Summary: ssh-agent crashes when removing PKCS#11 library keys if non-PKCS#11 keys are present Product: Portable OpenSSH Version: 6.3p1 Hardware: All OS: Mac OS X Status: NEW Severity: minor Priority: P5

Hello all, You may find this interesting: http://jemmari.tky.hut.fi/sc/ Here in Finland, we have cryptocards which have a PKCS#15 interface. They already have RSA keys stored in them, and can be used in various applications. I'm sure they're getting more common elsewhere too. Juha Yrj?l? et al have added support for these as a patch, and are providing libraries (under LGPL though) to

Author: pwernau Repository: /hg/zfs-crypto/gate Revision: ba16e4a9c5255b467f2d29663976000f863c3b71 Log message: PSARC 2005/501 ikecert PKCS#11 object migration and linkage 6219636 ikecert(1m) needs to tie IKE certificate slots to existing PKCS#11 objects 6220119 ikecert certlocal migrate disk key to PKCS#11 token 6232671 Can''t add a certificate to a keystore with ikecert(1m) 6303764 IKE

On 10/8/2015 4:49 AM, Simon Josefsson wrote: > Mathias Brossard <mathias at brossard.org> writes: > >> Hi, >> >> I have made a patch for enabling the use of ECDSA keys in the PKCS#11 >> support of ssh-agent which will be of interest to other users. > > Nice! What would it take to add support for Ed25519 too? Do we need to > allocate any new PKCS#11

On Sat, 2020-02-22 at 10:50 -0600, Douglas E Engert wrote: > As a side note, OpenSC is looking at issues with using tokens vs > separate > readers and smart cards. The code paths in PKCS#11 differ. Removing a > card > from a reader leaves the pkcs#11 slot still available. Removing a > token (Yubikey) > removes both the reader and and its builtin smart card. Firefox has a >

Thomas Calderon <calderon.thomas at gmail.com> writes: > Hi, > > There is no need to add new mechanism identifiers to use specific curves. > > This can be done already using the CKM_ECDSA mechanism parameters (see > CKA_ECDSA_PARAMS > in the standard). > Given that the underlying HW or SW tokens supports Ed25519 curves, then you > could leverage it even with

Hello everyone, as you could have noticed over the years, there are several bugs for PKCS#11 improvement and integration which are slipping under the radar for several releases, but the most painful ones are constantly updated by community to build, work and make our lives better. I wrote some of the patches, provided feedback to others, or offered other help here on mailing list, but did not

Hi all, Someone mentioned today to me, that the "competing virtualisation product" is capable of doing PKCS-forwarding towards a virtual client. So, my question here, does XEN supports PKCS-passthrough? As i also need my smartcard locally (on the hypervisor), i can not use neither pci nor usb-forwarding.... Defensie/CDC/IVENT/Research en Innovation Centrum Ing J. (Hans) Witvliet

Folks, Not very critical - but below would help make the PKCS#11 experience a bit smoother. The, occasionally informative, no-slots message is moved to ?debug?; as otherwise, in a mixed pkcs#11 and file-based environment virtually all non chip-card driven ssh connections spew ?no slot? on stderr. And in day to day use - the only time you want this message is when you are debugging an issue; such

On Sun, 12 Aug 2018, Blumenthal, Uri - 0553 - MITLL wrote: > Tone aside, let me second what Bob said. OpenSSH maintainers seem to > be able to find time for many updates and upgrades - but ECC support > over PKCS#11 appears to repulse them for more than two years (I don't > care to check for exactly how many more). There's no "repulsion" involved, just a lack of

https://bugzilla.mindrot.org/show_bug.cgi?id=2808 Bug ID: 2808 Summary: Unable to add certificates to agent when using PKCS#11 backed keys. Product: Portable OpenSSH Version: 7.4p1 Hardware: amd64 OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: